'''Building The DEF CON Network, Making A Sandbox For 10,000 Hackers'''

Latest revision as of 21:19, 8 March 2013

December 19 2012, Daily Grill - Downtown LA

Final OWASP Meeting of 2012, Just Before the End of the World

Network with your OWASP peers as we celebrate the last days on earth, according to the Mayan calendar. Or, if you are a non-believer, share good stories and research with the most enlightened group of web security folks west of the Mississippi. Operators are standing by.

November 28 2012, Symantec Offices, Culver City

WCF Security – Securing your Service Oriented Architecture

Any Service-Oriented Architecture (SOA) needs to support security features that provide auditing, authentication, authorization, confidentiality, and integrity for the messages exchanged between the client and the service. Microsoft Windows Communication Foundation (WCF) provides these security features by default for any application that is built on top of the WCF framework. In this session, Adnan Masood will discuss the WCF security features related to auditing and logging, authentication, authorization, confidentiality, and integrity.

This talk is focused on WCF security features, with code demonstrations of using behaviors and bindings to configure security for your WCF service. Bindings and behaviors allow you to configure transfer security, authentication, authorization, impersonation, and delegation as well as auditing and logging. This presentation will help you understand basic security-related concepts in WCF, what bindings and behaviors are and how they are used in WCF, authorization and roles in the context of WCF, impersonation and delegation in the context of WCF, and what options are available for auditing in WCF.

Targeted towards solution architects and developers, this talk will provide you architectural guidance regarding authentication, authorization, and communication design for your WCF services; solution patterns for common distributed application scenarios using WCF; and principles, patterns, and practices for improving key security aspects in services.

Speaker: Adnan Masood

Adnan Masood works as a web architect / technical lead for a financial institution where he develops SOA-based middle-tier architectures, distributed systems, and web applications using Microsoft technologies. He is a Microsoft Certified Trainer holding several technical certifications, including MCPD (Enterprise Developer), MCSD .NET, and SCJP-II. Adnan is attributed and published in print media and on the Web; he also teaches Windows Communication Foundation (WCF) courses at the University of California at San Diego and regularly presents at local code camps and user groups. He is actively involved in the .NET community as cofounder and president of the San Gabriel Valley .NET Developers group.

Adnan holds a Master’s degree in Computer Science; he is currently a doctoral student working towards a PhD in Machine Learning, specifically discovering interestingness measures in outliers using Bayesian Belief Networks. He also holds a systems architecture certification from MIT and an SOA Smarts certification from Carnegie Mellon University.

October 29 2012, Symantec Offices, Culver City

Carpe Datum: Drinking from the espresso firehose we know as Shodan

Have you ever stayed up until 5am fiendishly digging around on Shodan? I have. More times than I care to admit. I’m starting to find patterns. Shodan is genius. It’s a glorious search engine that catalogs the banners from TCP connections on several ports – for the entire IPv4 internet. This makes for some bodacious late night reading. The findings, on the other hand, are in a lot of cases most heinous. SCADA, power company networks and controls, thousands of webcams, weed growrooms, .gov/.mil border routers and SharePoint systems. It’s a little overwhelming. I decided to sift it all through a strainer to make it easier to take in. So I wrote a scraper script and a viewer to better parse the results! Come with me on an excellent adventure – but without Bill or Ted – more like the haunted mansion ride, except all the ghosts and spooks are systems or cameras left wide open on the internet. Did you know you could telnet into hydrogen fuel cells? Neither did I!

Insecure software applications are the biggest threat to data breaches and the source of over 90% of all security vulnerabilities, according to NIST. Software security tools and training have been available for years. So why do most organizations still produce insecure code? This session discusses a 10-year research study and an Application Security Maturity Model that documents how organizations mature over time and why so many application security initiatives fail.

Speaker: Ed Adams

Ed Adams is a software executive with successful leadership experience in various-sized organizations that serve the IT security and quality assurance industries. He is a Ponemon Institute Fellow and founded the Application Security Industry Consortium, Inc. (AppSIC), a non-profit association established to define cross-industry application security metrics and best practices. He sits on the board of the Massachusetts North Shore Technology Council (NSTC), National Association of Information Security Groups (NAISG), and the International Secure Software Engineering Council (ISSECO).

August 1 2012, Symantec Offices, Culver City

This meeting will be a Black Hat/DEF CON recap.

June 27, 2012, Symantec Offices, Culver City

Flame Malware

The discovery of the Flame malware that targets Middle Eastern countries, predominantly Iran, has brought politically motivated threats into the spotlight again.
In this talk I will discuss the Flame malware and contrast it with other politically motivated threats we have seen. I will discuss how Flame was discovered, what it is capable of, and give updates on the latest analysis. In addition I will talk about the increasing use of cyber espionage and what that may mean for software developers.
Flame is peculiar in that it was written with a combination of C++, Lua and SQLite. I will show how the threat uses these technologies and how that differs from the malware we see every day.

Speaker: Liam O Murchu

Liam O Murchu is a manager of Security Response at Symantec. He has appeared on CBS 60 Minutes about the Stuxnet virus. He has also presented about Stuxnet at the Los Angeles chapters of OWASP and ISSA.
http://www.cbsnews.com/video/watch/?id=7400892n

May 23, 2012 at 6:45PM. Symantec Offices, Culver City

Data Mining a Mountain of Zero Day Vulnerabilities

Every day, software developers around the world, from Bangalore to Silicon Valley, churn out millions of lines of insecure code. We used static binary analysis on thousands of applications submitted to us by large enterprises, commercial software vendors, open source projects, and software outsourcers, to create an anonymized vulnerability data set. By mining this data we can answer some interesting questions.
Which industries have the most secure and least secure code? What types of mistakes do developers make most often? Which languages and platforms have the apps with the most vulnerabilities? Should you be most worried about internally built apps, open source, commercial software, or outsourcers? These questions and many more will be answered as we tunnel through zero day mountain.

Speaker: Chris Wysopal

Chris Wysopal, Veracode’s CTO and Co-Founder, is responsible for the company’s software security analysis capabilities. In 2008 he was named one of InfoWorld's Top 25 CTOs and one of the 100 most influential people in IT by eWeek. One of the original vulnerability researchers and a member of L0pht Heavy Industries, he has testified on Capitol Hill in the US on the subjects of government computer security and how vulnerabilities are discovered in software. He is an author of L0phtCrack and netcat for Windows. He is the lead author of “The Art of Software Security Testing”, published by Addison-Wesley.

We will cover how the DEF CON network team builds a network from scratch, in three days, with very little budget: how this network evolved, what worked for us, and what didn't work over the last ten years. This network started as an idea and, after acquiring some kick-butt hardware, has allowed us to support several thousand users concurrently. In addition I will cover the new WPA2 Enterprise deployment, what worked and what didn't, and how the DEF CON team has made the Rio network rock!

Speaker: David M. N. Bryan

David M. N. Bryan has 10 years of computer security experience, including pentesting, consulting, engineering, and administration. As an active participant in the information security community, he volunteers at DEF CON, where he designs and implements the firewall and network for what is said to be the most hostile network environment in the world. This network allows speakers, press, vendors, and others to gain access to the Internet without being hacked. In his spare time he runs the local DEF CON group, DC612, is the president of the Twincities Makers group, and participates in the Minneapolis OWASP chapter.

February 22, 2012, Symantec Offices, Culver City

SharePoint Hacking Diggity Project

The SharePoint Hacking Diggity Project is a research and development initiative dedicated to investigating the latest tools and techniques in hacking Microsoft SharePoint technologies. This project page contains downloads and links to our latest SharePoint Hacking research and free security tools. Assessment strategies are designed to help SharePoint administrators and security professionals identify common insecure configurations and exposures introduced by vulnerable SharePoint deployments.

Speaker: Francis Brown

Francis Brown, MCSE, CISA, CISSP, is responsible for overseeing the company’s business operations as well as finance and administration functions. He also manages Stach & Liu’s 6sigma service quality program and leads internal practice development initiatives.

Before joining Stach & Liu, Francis worked in the Global Risk Assessment team at Honeywell International where he performed network and application penetration testing, product security evaluations, incident response, and risk assessments of critical infrastructure. Prior to that, Francis was a consultant with the Ernst & Young Advanced Security Centers and conducted network, application, wireless, and remote access penetration tests for Fortune 500 clients.

Francis has presented his research at leading conferences such as Black Hat USA, DEFCON, InfoSec World, and has been cited in numerous industry and academic publications.

Francis holds a Bachelor of Science and Engineering from the University of Pennsylvania with a major in Computer Science and Engineering and a minor in Psychology.

January 25, 2012, Symantec Offices, Culver City

Cloud Security

It is no surprise that the emergence of cloud computing and virtualization is creating a noticeable buzz across the IT space.

Still, the cloud by itself is a mystery to many customers. When information security is introduced to the mix, the picture becomes Cloudy. Add compliance requirements such as PCI, and it's downright Stormy! In this presentation, Mr. Zigweid will discuss ways to achieve data security in a cloud environment. This includes what a cloud customer should watch out for and what they should expect from their provider in order to meet compliance requirements.

Speaker: Rob Zigweid

Robert Zigweid is an accomplished developer and application tester with advanced skills in the creation and analysis of systems architecture and threat modeling. As a Senior Security Consultant at IOActive, he works with clients to discover and solve network and application problems that threaten their business goals and assets. In addition to his direct efforts on penetration tests, security reviews, and network and application audits, Zigweid contributes to the advancement of more stable, secure systems through his research and development. He was a co-founder of OSJava, is working on a JDBC driver and a more robust Java class loader, and has conducted groundbreaking research that will further the formal understanding of application and network security for audiences at varying levels of technical fluency.